Thanks for that analysis, James. Using James' analysis as a starting point, I dug into some of the usages of the 'zipOpenNewFile*' functions.
nodejs-18.13.0+dfsg1: The Node.js source code includes a copy of the zlib source code. This copy was patched over a month ago.

mariadb-10.11.4: The MariaDB source code includes a copy of the zlib source code. This copy has not been patched. This implies MariaDB should be mentioned in this CVE but is not.

After checking two common packages and seeing the same, somewhat nonstandard pattern, I downloaded and compiled zlib myself. By default, it does not appear that any of the minizip functions are included in any header file or library installed as part of the normal zlib './configure && make && make install'. So perhaps all these usages of these functions are associated with downstream software copying zlib source into their code? If that is the case, what does that mean for this CVE and actually creating a coherent response across all these packages?

-- David Dooling
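One way to inventory the vendored zlib copies the message is asking about, as an added example (not from the thread, and not a zlib or Debian tool): the script walks a source tree, finds each zlib.h, reads the ZLIB_VERSION it declares, and reports whether the minizip sources that define the zipOpenNewFileInZip* functions are shipped next to it. The sample tree, its paths and its version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. For each vendored zlib found under a
# source tree, print: "<dir> <ZLIB_VERSION> minizip=<yes|no>".
# minizip lives in contrib/minizip/zip.c and is where the
# zipOpenNewFileInZip* functions are defined, so its presence is the signal
# that a package may carry that code even though a stock
# './configure && make && make install' never installs it.
find_vendored_zlib() {
    root="$1"
    find "$root" -type f -name zlib.h | while read -r hdr; do
        dir=$(dirname "$hdr")
        # zlib.h defines the version as a quoted string: #define ZLIB_VERSION "1.2.13"
        ver=$(sed -n 's/^#define ZLIB_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$hdr" | head -n 1)
        [ -n "$ver" ] || continue   # a zlib.h without ZLIB_VERSION is not zlib's header
        if [ -f "$dir/contrib/minizip/zip.c" ] \
           && grep -q zipOpenNewFileInZip "$dir/contrib/minizip/zip.c"; then
            mz=yes
        else
            mz=no
        fi
        printf '%s %s minizip=%s\n' "$dir" "$ver" "$mz"
    done
}

# Constructed sample tree so the script runs stand-alone: one copy with
# minizip, one without, and an unrelated zlib.h that must be ignored.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/deps/zlib/contrib/minizip" "$t/extra/zlib" "$t/unrelated"
    printf '#define ZLIB_VERSION "1.2.13"\n' > "$t/deps/zlib/zlib.h"
    printf 'int zipOpenNewFileInZip(void);\n' > "$t/deps/zlib/contrib/minizip/zip.c"
    printf '#define ZLIB_VERSION "1.3"\n' > "$t/extra/zlib/zlib.h"
    printf '/* not zlib */\n' > "$t/unrelated/zlib.h"
    echo "$t"
}

# Number of vendored zlib copies found under a tree.
count_copies() {
    find_vendored_zlib "$1" | wc -l | tr -d ' '
}

# Usage: sh this_script.sh /path/to/unpacked/source
if [ -n "$1" ]; then
    find_vendored_zlib "$1"
fi
```

Run it against an unpacked source package; a copy reported with minizip=yes is the one worth checking against the minizip fix, while minizip=no copies cannot contain the affected functions.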